veryroundbird.house / core
forked from tangled.org/core
this repo has no description
fork atom

appview: pages/markup: enable html.Unsafe in renderer

subsequently, every RenderMarkdown call has been wrapped with
bluemonday sanitization.

oppi.li 3a3da0b3 87548bc0

options
unified split
Changed files
+5 -2
appview
pages
funcmap.go
markup
markdown.go
pages.go
+2 -1
appview/pages/funcmap.go 
···

       
13

       
13

       
 

       
	"time"


     

       
14

       
14

       
 

       



     

       
15

       
15

       
 

       
	"github.com/dustin/go-humanize"


     

       

       
16

       
+

       
	"github.com/microcosm-cc/bluemonday"


     

       
16

       
17

       
 

       
	"tangled.sh/tangled.sh/core/appview/filetree"


     

       
17

       
18

       
 

       
	"tangled.sh/tangled.sh/core/appview/pages/markup"


     

       
18

       
19

       
 

       
)


     
···

       
144

       
145

       
 

       
		},


     

       
145

       
146

       
 

       
		"markdown": func(text string) template.HTML {


     

       
146

       
147

       
 

       
			rctx := &markup.RenderContext{RendererType: markup.RendererTypeDefault}


     

       
147

       

       
-

       
			return template.HTML(rctx.RenderMarkdown(text))


     

       

       
148

       
+

       
			return template.HTML(bluemonday.UGCPolicy().Sanitize(rctx.RenderMarkdown(text)))


     

       
148

       
149

       
 

       
		},


     

       
149

       
150

       
 

       
		"isNil": func(t any) bool {


     

       
150

       
151

       
 

       
			// returns false for other "zero" values
+2
appview/pages/markup/markdown.go 
···

       
10

       
10

       
 

       
	"github.com/yuin/goldmark/ast"


     

       
11

       
11

       
 

       
	"github.com/yuin/goldmark/extension"


     

       
12

       
12

       
 

       
	"github.com/yuin/goldmark/parser"


     

       

       
13

       
+

       
	"github.com/yuin/goldmark/renderer/html"


     

       
13

       
14

       
 

       
	"github.com/yuin/goldmark/text"


     

       
14

       
15

       
 

       
	"github.com/yuin/goldmark/util"


     

       
15

       
16

       
 

       
	"tangled.sh/tangled.sh/core/appview/pages/repoinfo"


     
···

       
41

       
42

       
 

       
		goldmark.WithParserOptions(


     

       
42

       
43

       
 

       
			parser.WithAutoHeadingID(),


     

       
43

       
44

       
 

       
		),


     

       

       
45

       
+

       
		goldmark.WithRendererOptions(html.WithUnsafe()),


     

       
44

       
46

       
 

       
	)


     

       
45

       
47

       
 

       



     

       
46

       
48

       
 

       
	if rctx != nil {
+1 -1
appview/pages/pages.go 
···

       
549

       
549

       
 

       
		case markup.FormatMarkdown:


     

       
550

       
550

       
 

       
			p.rctx.RepoInfo = params.RepoInfo


     

       
551

       
551

       
 

       
			p.rctx.RendererType = markup.RendererTypeRepoMarkdown


     

       
552

       

       
-

       
			params.RenderedContents = template.HTML(p.rctx.RenderMarkdown(params.Contents))


     

       

       
552

       
+

       
			params.RenderedContents = template.HTML(bluemonday.UGCPolicy().Sanitize(p.rctx.RenderMarkdown(params.Contents)))


     

       
553

       
553

       
 

       
		}


     

       
554

       
554

       
 

       
	}


     

       
555

       
555